We need to encrypt our databases. One of the issues is that in native TDE the security keys are not managed away from the data. Based on what I've read, EKM solves this issue.

I'd like to know if anyone who's worked with EKM can chime in here with their experiences. Also, does it always have to interface with an HSM, or are there software-based solutions that we can install ourselves onto our own hardened servers? Are there any free solutions, or are all key management solutions paid?

I tech-reviewed the 2005 Encryption book, and at the time all the EKM integrations were hardware appliances that cost $$. I believe Thales and Safeguard were the two I tested. They worked well, but were expensive, and you needed 2 of them to ensure you could access data.

I believe there are more providers, but I don't think there are any software only solutions. I think all items are hardware based.
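To make the "keys managed away from the data" point in the question concrete, here is the native TDE key chain beside an EKM-backed one, in T-SQL for SQL Server. This is an added example, not code from either poster or from any vendor's documentation; the provider name, DLL path, credential identity/secret, key name and database name are placeholders chosen for illustration.

```sql
-- Added example (not from the original thread): native TDE key chain vs. EKM-backed
-- key chain. Provider, DLL path, credential values and key names are placeholders.

-- === 1. Native TDE: every layer of the key hierarchy lives inside the instance ===
USE master;
CREATE MASTER KEY ENCRYPTION BY PASSWORD = '<strong password>';   -- DMK in master, protected by the service master key
CREATE CERTIFICATE TDECert WITH SUBJECT = 'TDE certificate';      -- private key in master, protected by the DMK

USE YourDatabase;
CREATE DATABASE ENCRYPTION KEY
    WITH ALGORITHM = AES_256
    ENCRYPTION BY SERVER CERTIFICATE TDECert;                     -- DEK stored in the user database
ALTER DATABASE YourDatabase SET ENCRYPTION ON;

-- Caveat: anyone who can read master (and the service master key) can recover the
-- certificate and therefore the DEK. Back the certificate up, and keep that backup
-- separate from the database backups; without it the backups are unreadable.
BACKUP CERTIFICATE TDECert TO FILE = 'D:\keys\TDECert.cer'
    WITH PRIVATE KEY (FILE = 'D:\keys\TDECert.pvk',
                      ENCRYPTION BY PASSWORD = '<strong password>');

-- === 2. EKM-backed TDE: the key that wraps the DEK stays inside the provider ===
USE master;
EXEC sp_configure 'show advanced options', 1;  RECONFIGURE;
EXEC sp_configure 'EKM provider enabled', 1;   RECONFIGURE;

-- Register the vendor's EKM DLL (placeholder path and name).
CREATE CRYPTOGRAPHIC PROVIDER ExampleEkmProvider
    FROM FILE = 'C:\Program Files\ExampleEKM\ekmprovider.dll';

-- Credential the engine uses to authenticate to the key manager, mapped to the
-- login that will reference the key.
CREATE CREDENTIAL EkmCredential
    WITH IDENTITY = 'ekm-user', SECRET = '<provider secret>'
    FOR CRYPTOGRAPHIC PROVIDER ExampleEkmProvider;
ALTER LOGIN [DOMAIN\DbaAccount] ADD CREDENTIAL EkmCredential;

-- Reference (not import) a key that already exists in the key manager.
CREATE ASYMMETRIC KEY EkmTdeKey
    FROM PROVIDER ExampleEkmProvider
    WITH PROVIDER_KEY_NAME = 'tde-wrapping-key',
         CREATION_DISPOSITION = OPEN_EXISTING;

-- At service start there is no user session, so the engine needs a login bound
-- to the key, plus a credential it can use to reach the provider and unwrap the DEK.
CREATE LOGIN EkmTdeLogin FROM ASYMMETRIC KEY EkmTdeKey;
CREATE CREDENTIAL EkmTdeCredential
    WITH IDENTITY = 'ekm-user', SECRET = '<provider secret>'
    FOR CRYPTOGRAPHIC PROVIDER ExampleEkmProvider;
ALTER LOGIN EkmTdeLogin ADD CREDENTIAL EkmTdeCredential;

USE YourDatabase;
CREATE DATABASE ENCRYPTION KEY
    WITH ALGORITHM = AES_256
    ENCRYPTION BY SERVER ASYMMETRIC KEY EkmTdeKey;                -- DEK wrapped by the provider-held key
ALTER DATABASE YourDatabase SET ENCRYPTION ON;

-- Check what each encrypted database's DEK is protected by (certificate vs.
-- asymmetric key) and whether encryption has finished.
SELECT d.name, k.encryptor_type, k.encryptor_thumbprint, k.encryption_state
FROM sys.dm_database_encryption_keys AS k
JOIN sys.databases AS d ON d.database_id = k.database_id;
```

The difference that matters for the question is in the second half: with `ENCRYPTION BY SERVER ASYMMETRIC KEY` the private key never exists in `master`, so a copy of the instance's data files and backups is not enough to unwrap the DEK; the attacker also needs the provider's credential and network access to the key manager. The flip side is the availability point made in the answer above: if the provider is unreachable at service start, the database cannot be opened, which is why a second key manager (and a tested failover) is part of the design rather than an optional extra.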